| 1 |
On Mon, 2004-02-02 at 20:06, Matthias F. Brandstetter wrote: |
| 2 |
> Hi all security gurus, |
| 3 |
> |
| 4 |
> recently I had a sec. issue with an Apache install. This box is hosting |
| 5 |
> several virtual domains, one was hacked last night :( |
| 6 |
[snip] |
| 7 |
|
| 8 |
> |
| 9 |
> Until I can update the webserver, I need to know 3 things: |
| 10 |
You really should not wait on getting this thing updated. |
| 11 |
And in reality you should also halted this box now and a dd backup |
| 12 |
should be made for later examination. |
| 13 |
If you need to look around poke around at all it should all be done |
| 14 |
while the disk is mounted read-only. |
| 15 |
|
| 16 |
> 1.) how could this guy(s) could get access to this machine, |
| 17 |
(this guy could be a worm) |
| 18 |
|
| 19 |
> 2.) how can one get shell access after exploitng Apache, and |
| 20 |
It depends on the attack vector that was used. |
| 21 |
Without knowing versions of anything here it's hard to answer this |
| 22 |
question. See #3 |
| 23 |
|
| 24 |
> 3.) how to prevent similar attacks in the future? |
| 25 |
For a second lets assume it was the this |
| 26 |
arbitrary code execution via the stack or heap. If that the case then |
| 27 |
your going to want something like PaX && || Grsec. |
| 28 |
depending on your needs. http://pax.grsecurity.net & |
| 29 |
http://grsecurity.net |
| 30 |
Note: PaX is included with grsecurity |
| 31 |
|
| 32 |
> |
| 33 |
> ANY hints, tips, links and suggestions are welcome! |
| 34 |
> Greetings and TIA, Matthias |
| 35 |
-- |
| 36 |
Ned Ludd <solar@g.o> |
| 37 |
Gentoo Linux Developer |
Archives